Add support for extra attributes oauth2 client

omkark-google · omkark-google · commit 33b9d3dbab8a · 2025-01-23T00:47:47.000Z
fields to create workforce pool operation. This address the gap between newly added support in Gcloud command of iam create workforce pool provider and iam update workforce pool provider. Fixes hashicorp/terraform-provider-google#20862 ``` iam: added `extra_attributes_oauth2_client` field to `google_iam_workforce_pool_provider` SAML resource ```
diff --git a/mmv1/products/iamworkforcepool/WorkforcePoolProvider.yaml b/mmv1/products/iamworkforcepool/WorkforcePoolProvider.yaml
@@ -80,6 +80,7 @@ examples:
       org_id: 'ORG_ID'
     ignore_read_extra:
       - 'oidc.0.client_secret.0.value.0.plain_text'
+      - 'extra_attributes_oauth2_client.0.client_secret.0.value.0.plain_text'
   - name: 'iam_workforce_pool_provider_oidc_upload_key'
     primary_resource_id: 'example'
     vars:
@@ -388,7 +389,7 @@ properties:
       The configuration for OAuth 2.0 client used to get the additional user
       attributes. This should be used when users can't get the desired claims
       in authentication credentials. Currently this configuration is only
-      supported with OIDC protocol.
+      supported with SAML and OIDC protocol.
     properties:
       - name: 'issuerUri'
         type: String
diff --git a/mmv1/templates/terraform/examples/iam_workforce_pool_provider_oidc_full.tf.tmpl b/mmv1/templates/terraform/examples/iam_workforce_pool_provider_oidc_full.tf.tmpl
@@ -12,7 +12,7 @@ resource "google_iam_workforce_pool_provider" "{{$.PrimaryResourceId}}" {
     "google.subject"  = "assertion.sub"
   }
   oidc {
-    issuer_uri        = "https://accounts.thirdparty.com"
+    issuer_uri        = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"
     client_id         = "client-id"
     client_secret {
       value {
@@ -25,6 +25,19 @@ resource "google_iam_workforce_pool_provider" "{{$.PrimaryResourceId}}" {
       additional_scopes         = ["groups", "roles"]
     }
   }
+  extra_attributes_oauth2_client {
+    issuer_uri       = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"
+    client_id        = "client-id"
+    client_secret {
+        value {
+          plain_text = "client-secret"
+        }
+      }
+    attributes_type = "AZURE_AD_GROUPS_MAIL"
+    query_parameters {
+        filter      = "mail:sales"
+    }
+  }
   display_name        = "Display name"
   description         = "A sample OIDC workforce pool provider."
   disabled            = false
diff --git a/mmv1/templates/terraform/examples/iam_workforce_pool_provider_saml_full.tf.tmpl b/mmv1/templates/terraform/examples/iam_workforce_pool_provider_saml_full.tf.tmpl
@@ -14,6 +14,19 @@ resource "google_iam_workforce_pool_provider" "{{$.PrimaryResourceId}}" {
   saml {
     idp_metadata_xml  = "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>"
   }
+  extra_attributes_oauth2_client {
+    issuer_uri       = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"
+    client_id        = "client-id"
+    client_secret {
+        value {
+          plain_text = "client-secret"
+        }
+      }
+    attributes_type = "AZURE_AD_GROUPS_MAIL"
+    query_parameters {
+        filter      = "mail:gcp"
+    }
+  }
   display_name        = "Display name"
   description         = "A sample SAML workforce pool provider."
   disabled            = false
diff --git a/mmv1/third_party/terraform/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go.tmpl b/mmv1/third_party/terraform/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go.tmpl
